refactor: handle paramKind directly
remove hacks that might conceal errors
parent
6d5133f3ec
commit
acf1d850c6
@ -18,14 +18,13 @@ package generic
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"k8s.io/api/admissionregistration/v1beta1"
|
"k8s.io/api/admissionregistration/v1beta1"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
)
|
)
|
||||||
|
|
||||||
type PolicyAccessor interface {
|
type PolicyAccessor interface {
|
||||||
GetName() string
|
GetName() string
|
||||||
GetNamespace() string
|
GetNamespace() string
|
||||||
GetParamKind() *schema.GroupVersionKind
|
GetParamKind() *v1beta1.ParamKind
|
||||||
GetMatchConstraints() *v1beta1.MatchResources
|
GetMatchConstraints() *v1beta1.MatchResources
|
||||||
}
|
}
|
||||||
|
|
||||||
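Review bot: `GetParamKind` on `PolicyAccessor` has no doc comment, and with the return type changed to `*v1beta1.ParamKind` its contract has shifted: implementations now hand back the spec's unparsed `APIVersion` string, so each caller must parse it and handle failure. I would document that on the method, for example `// GetParamKind returns the policy's paramKind as written in the spec, or nil if the policy takes no params. APIVersion is not validated here; callers must parse it and handle the error.` The interface is exported, so implementations and callers outside this commit cannot learn this from the signature alone.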
|
@ -85,6 +85,9 @@ type compiledPolicyEntry[E Evaluator] struct {
|
|||||||
type PolicyHook[P runtime.Object, B runtime.Object, E Evaluator] struct {
|
type PolicyHook[P runtime.Object, B runtime.Object, E Evaluator] struct {
|
||||||
Policy P
|
Policy P
|
||||||
Bindings []B
|
Bindings []B
|
||||||
|
|
||||||
|
// ParamInformer is the informer for the param CRD for this policy, or nil if
|
||||||
|
// there is no param or if there was a configuration error
|
||||||
ParamInformer informers.GenericInformer
|
ParamInformer informers.GenericInformer
|
||||||
ParamScope meta.RESTScope
|
ParamScope meta.RESTScope
|
||||||
|
|
||||||
@ -157,7 +160,7 @@ func (s *policySource[P, B, E]) Run(ctx context.Context) error {
|
|||||||
}
|
}
|
||||||
defer func() {
|
defer func() {
|
||||||
if err := s.policyInformer.RemoveEventHandler(handle); err != nil {
|
if err := s.policyInformer.RemoveEventHandler(handle); err != nil {
|
||||||
utilruntime.HandleError(fmt.Errorf("failed to remove policy event handler: %v", err))
|
utilruntime.HandleError(fmt.Errorf("failed to remove policy event handler: %w", err))
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
@ -167,7 +170,7 @@ func (s *policySource[P, B, E]) Run(ctx context.Context) error {
|
|||||||
}
|
}
|
||||||
defer func() {
|
defer func() {
|
||||||
if err := s.bindingInformer.RemoveEventHandler(bindingHandle); err != nil {
|
if err := s.bindingInformer.RemoveEventHandler(bindingHandle); err != nil {
|
||||||
utilruntime.HandleError(fmt.Errorf("failed to remove binding event handler: %v", err))
|
utilruntime.HandleError(fmt.Errorf("failed to remove binding event handler: %w", err))
|
||||||
}
|
}
|
||||||
}()
|
}()
|
||||||
|
|
||||||
@ -231,7 +234,7 @@ func (s *policySource[P, B, E]) refreshPolicies() {
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
// An error was generated while syncing policies. Mark it as dirty again
|
// An error was generated while syncing policies. Mark it as dirty again
|
||||||
// so we can retry later
|
// so we can retry later
|
||||||
utilruntime.HandleError(fmt.Errorf("encountered error syncing policies: %v. Rescheduling policy sync", err))
|
utilruntime.HandleError(fmt.Errorf("encountered error syncing policies: %w. Rescheduling policy sync", err))
|
||||||
s.notify()
|
s.notify()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -299,8 +302,26 @@ func (s *policySource[P, B, E]) calculatePolicyData() ([]PolicyHook[P, B, E], er
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
|
var parsedParamKind *schema.GroupVersionKind
|
||||||
policyAccessor := s.newPolicyAccessor(policySpec)
|
policyAccessor := s.newPolicyAccessor(policySpec)
|
||||||
paramInformer, paramScope, configurationError := s.ensureParamsForPolicyLocked(policyAccessor.GetParamKind())
|
|
||||||
|
if paramKind := policyAccessor.GetParamKind(); paramKind != nil {
|
||||||
|
groupVersion, err := schema.ParseGroupVersion(paramKind.APIVersion)
|
||||||
|
if err != nil {
|
||||||
|
errs = append(errs, fmt.Errorf("failed to parse paramKind APIVersion: %w", err))
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
parsedParamKind = &schema.GroupVersionKind{
|
||||||
|
Group: groupVersion.Group,
|
||||||
|
Version: groupVersion.Version,
|
||||||
|
Kind: paramKind.Kind,
|
||||||
|
}
|
||||||
|
|
||||||
|
// TEMPORARY UNTIL WE HAVE SHARED PARAM INFORMERS
|
||||||
|
usedParams[*parsedParamKind] = struct{}{}
|
||||||
|
}
|
||||||
|
|
||||||
|
paramInformer, paramScope, configurationError := s.ensureParamsForPolicyLocked(parsedParamKind)
|
||||||
result = append(result, PolicyHook[P, B, E]{
|
result = append(result, PolicyHook[P, B, E]{
|
||||||
Policy: policySpec,
|
Policy: policySpec,
|
||||||
Bindings: bindingSpecs,
|
Bindings: bindingSpecs,
|
||||||
@ -310,11 +331,6 @@ func (s *policySource[P, B, E]) calculatePolicyData() ([]PolicyHook[P, B, E], er
|
|||||||
ConfigurationError: configurationError,
|
ConfigurationError: configurationError,
|
||||||
})
|
})
|
||||||
|
|
||||||
// TEMPORARY UNTIL WE HAVE SHARED PARAM INFORMERS
|
|
||||||
if paramKind := policyAccessor.GetParamKind(); paramKind != nil {
|
|
||||||
usedParams[*paramKind] = struct{}{}
|
|
||||||
}
|
|
||||||
|
|
||||||
// Should queue a re-sync for policy sync error. If our shared param
|
// Should queue a re-sync for policy sync error. If our shared param
|
||||||
// informer can notify us when CRD discovery changes we can remove this
|
// informer can notify us when CRD discovery changes we can remove this
|
||||||
// and just rely on the informer to notify us when the CRDs change
|
// and just rely on the informer to notify us when the CRDs change
|
||||||
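Review bot: In the `calculatePolicyData` hunk, a `paramKind.APIVersion` that fails `schema.ParseGroupVersion` now hits `continue`, so the policy is left out of `result` instead of being returned as a `PolicyHook` with `ConfigurationError` set. If the dispatcher derives its failurePolicy handling from `ConfigurationError` (not visible here), such a policy is silently not enforced and the only trace is the aggregated error; API validation presumably rejects these specs, but this path is the backstop for when it does not. Consider keeping the hook and carrying the parse error into it, e.g. store it in a local and set `ConfigurationError: paramKindErr`, rather than skipping the policy. Separately, the `refreshPolicies` hunk reschedules the sync on any error, so a permanently invalid spec appended to `errs` may cause repeated resyncs, assuming `errs` feeds that return value. The enclosing loop and the rest of the function lie outside the hunk.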
|
@ -23,7 +23,6 @@ import (
|
|||||||
"k8s.io/api/admissionregistration/v1beta1"
|
"k8s.io/api/admissionregistration/v1beta1"
|
||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/runtime"
|
"k8s.io/apimachinery/pkg/runtime"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
"k8s.io/apiserver/pkg/admission/plugin/policy/generic"
|
"k8s.io/apiserver/pkg/admission/plugin/policy/generic"
|
||||||
"k8s.io/apiserver/pkg/admission/plugin/policy/matching"
|
"k8s.io/apiserver/pkg/admission/plugin/policy/matching"
|
||||||
@ -111,9 +110,8 @@ func TestPolicySourceHasSyncedInitialList(t *testing.T) {
|
|||||||
ObjectMeta: metav1.ObjectMeta{
|
ObjectMeta: metav1.ObjectMeta{
|
||||||
Name: "policy2",
|
Name: "policy2",
|
||||||
},
|
},
|
||||||
ParamKind: &schema.GroupVersionKind{
|
ParamKind: &v1beta1.ParamKind{
|
||||||
Group: "policy.example.com",
|
APIVersion: "policy.example.com/v1",
|
||||||
Version: "v1",
|
|
||||||
Kind: "FakeParam",
|
Kind: "FakeParam",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -179,7 +177,7 @@ type FakePolicy struct {
|
|||||||
metav1.TypeMeta
|
metav1.TypeMeta
|
||||||
metav1.ObjectMeta
|
metav1.ObjectMeta
|
||||||
|
|
||||||
ParamKind *schema.GroupVersionKind
|
ParamKind *v1beta1.ParamKind
|
||||||
}
|
}
|
||||||
|
|
||||||
var _ generic.PolicyAccessor = &FakePolicy{}
|
var _ generic.PolicyAccessor = &FakePolicy{}
|
||||||
@ -201,7 +199,7 @@ func (fp *FakePolicy) GetNamespace() string {
|
|||||||
return fp.Namespace
|
return fp.Namespace
|
||||||
}
|
}
|
||||||
|
|
||||||
func (fp *FakePolicy) GetParamKind() *schema.GroupVersionKind {
|
func (fp *FakePolicy) GetParamKind() *v1beta1.ParamKind {
|
||||||
return fp.ParamKind
|
return fp.ParamKind
|
||||||
}
|
}
|
||||||
|
|
||||||
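Review bot: The visible test changes only port `FakePolicy` to `*v1beta1.ParamKind` with a well-formed `APIVersion: "policy.example.com/v1"`; nothing here exercises the new parse-failure branch in `calculatePolicyData`. Since the commit's stated purpose is to stop concealing errors, a case with a malformed value (a constructed example would be `APIVersion: "policy.example.com/v1/extra"`) should assert what the policy source does with it: whether the hook is present, and what error is surfaced. Other tests in the file may already cover this; they are outside the hunks shown.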
|
@ -18,7 +18,6 @@ package validating
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"k8s.io/api/admissionregistration/v1beta1"
|
"k8s.io/api/admissionregistration/v1beta1"
|
||||||
"k8s.io/apimachinery/pkg/runtime/schema"
|
|
||||||
"k8s.io/apimachinery/pkg/types"
|
"k8s.io/apimachinery/pkg/types"
|
||||||
"k8s.io/apiserver/pkg/admission/plugin/policy/generic"
|
"k8s.io/apiserver/pkg/admission/plugin/policy/generic"
|
||||||
)
|
)
|
||||||
@ -47,32 +46,8 @@ func (v *validatingAdmissionPolicyAccessor) GetName() string {
|
|||||||
return v.Name
|
return v.Name
|
||||||
}
|
}
|
||||||
|
|
||||||
func (v *validatingAdmissionPolicyAccessor) GetParamKind() *schema.GroupVersionKind {
|
func (v *validatingAdmissionPolicyAccessor) GetParamKind() *v1beta1.ParamKind {
|
||||||
paramKind := v.Spec.ParamKind
|
return v.Spec.ParamKind
|
||||||
if paramKind == nil {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
groupVersion, err := schema.ParseGroupVersion(paramKind.APIVersion)
|
|
||||||
if err != nil {
|
|
||||||
// A validatingadmissionpolicy which passes validation should have
|
|
||||||
// a parseable APIVersion for its ParamKind, so this should never happen
|
|
||||||
// if the policy is valid.
|
|
||||||
//
|
|
||||||
// Return a bogus but non-nil GVK that will throw an error about the
|
|
||||||
// invalid APIVersion when the param is looked up.
|
|
||||||
return &schema.GroupVersionKind{
|
|
||||||
Group: paramKind.APIVersion,
|
|
||||||
Version: "",
|
|
||||||
Kind: paramKind.Kind,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
return &schema.GroupVersionKind{
|
|
||||||
Group: groupVersion.Group,
|
|
||||||
Version: groupVersion.Version,
|
|
||||||
Kind: paramKind.Kind,
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (v *validatingAdmissionPolicyAccessor) GetMatchConstraints() *v1beta1.MatchResources {
|
func (v *validatingAdmissionPolicyAccessor) GetMatchConstraints() *v1beta1.MatchResources {
|
||||||
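Review bot: `GetParamKind` now returns `v.Spec.ParamKind` itself, where the removed code built a fresh `schema.GroupVersionKind`, so the caller receives a pointer into the policy object the accessor wraps. If that object comes from a shared informer cache (the accessor's definition is outside the hunk), any write through the returned pointer would corrupt the cached policy for every reader. The visible caller only reads it, so a doc comment is enough: `// GetParamKind returns the policy's ParamKind as stored in the spec; the result aliases the policy object and must be treated as read-only.`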
|